| From: | Vik Fearing <vik(at)postgresfriends(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Setting ACL |
| Date: | 2020-03-03 18:13:04 |
| Message-ID: | 48f9156d-3937-cf47-13ee-ac4e90c83c43@postgresfriends.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 03/03/2020 19:02, Tom Lane wrote:
> Vik Fearing <vik(at)postgresfriends(dot)org> writes:
>> I have a few questions about setting acl on SQL level.
>> Is it safe to do something like
>> UPDATE pg_class SET relacl = $1 WHERE oid = $2;
>> ?
>
>> I don't think it is because ExecGrant_* call updateAclDependencies after
>> they do the update and my own update would not do that. But is it safe
>> to do my update if I'm not touching anything in pg_global?
>
> Well, it'll work, but the system won't know about the role references
> in this ACL item, so for instance dropping the role wouldn't make the> ACL go away. Which might cause you dump/reload issues later.
Ok, so not safe. Should we remove makeaclitem() then?
>> And finally, would there be any interest in a function like
>> aclset("char", oid, aclitem[]) and does this properly?
>
> Not really, when GRANT is already there ...
So I have to manually do a diff of the two acls and generate
GRANT/REVOKE statements? That's not encouraging. :(
--
Vik Fearing
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2020-03-03 18:25:30 | Re: Setting ACL |
| Previous Message | David Steele | 2020-03-03 18:10:26 | PG14 target version? |